Calif. Sues Delta For App Privacy Violations

California attorney general opens suit after Delta ignores warnings about its nonexistent app privacy policy. This may be a small part of the airline's larger technology problems.

Has Delta's smartphone app program been left to fly on autopilot?

That's one possible explanation for why Delta failed to address a written notice from California, sent in October, which warned that unless the airline updated its mobile apps within 30 days to include a privacy policy, the state would sue it for violating privacy laws.

As promised, California's attorney general, Kamala D. Harris, Thursday filed a groundbreaking civil lawsuit against the airline in San Francisco state court. The lawsuit accuses Delta of violating both the 2004 California Online Privacy Protection Act and California's Unfair Competition Law by failing to post a conspicuous privacy policy for its mobile "Fly Delta" app, which debuted in 2010. By conspicuous, the state means that the privacy policy should be "reasonably accessible to consumers within the apps."

According to the lawsuit, "despite collecting substantial personally identifiable information (PII) such as a user's full name, telephone number, email address, frequent flyer account number and PIN code, photographs and geo-location, the Fly Delta application does not have a privacy policy." As a result, it said, "users of the Fly Delta application do not know what personally identifiable information Delta collects about them, how Delta uses that information, or to whom that information is shared, disclosed or sold."

"Losing your personal privacy should not be the cost of using mobile apps, but all too often it is," Harris said in a statement. "California law is clear that mobile apps collecting personal information need privacy policies, and that the users of those apps deserve to know what is being done with their personal information."

The state's lawsuit seeks to prohibit Delta from distributing its mobile app until it posts a privacy policy, and requests a $2,500 fine for every non-compliant app that's been downloaded by consumers. "FlyDelta has been downloaded over 1 million times on Google Play store alone. That's $2.5 billion in potential penalties," said Justin Brookman, director of consumer privacy at the Center for Democracy & Technology, via Twitter.

A Delta spokesman didn't immediately respond to an emailed request for comment about how the airline intends to respond to the lawsuit.

What's perplexing about this case is that the lawsuit could have easily been avoided. Harris first began warning about the state's mobile-app privacy policy enforcement plans in February, when she announced a legal settlement with the six largest mobile app distribution platforms. That settlement included a set of privacy principles that will allow consumers to review an app's privacy policy without having to first download or install the app.

Subsequently, the state began directly cautioning mobile-app developers who failed to post a privacy policy both online and in their app. In letters dated Oct. 29, Harris notified numerous businesses -- which collectively develop as many as 100 different mobile apps -- that they were breaking California privacy law, and had 30 days "to conspicuously post a privacy policy within their app that informs users of what personally identifiable information about them is being collected."

On Oct. 31, Delta spokeswoman Chris Kelly Singley confirmed to InformationWeek via email, "We have received the letter from the attorney general and intend to provide the requested information."

More than 30 days later, what accounts for Delta's failure to include a privacy policy in its Fly Delta app, which is available for Android, BlackBerry, iOS and Windows Phone devices? Interestingly, every platform version of the app has recently garnered withering reviews for its slow response time, as well as for requiring a PIN code, which Delta previously issued to all new website users. But while Delta has discontinued issuing new PIN codes, its mobile app still requires one. That led one reviewer at the iTunes store to note of the app: "Will only let you login with a pin, and the Delta website says they've switched from pins to passwords (login will only let you continue with a pin). I'm deleting this app immediately."

User reviews also note that the Windows Phone version of the app remains incompatible with Windows Phone 8, which was released more than a month ago. Likewise, some BlackBerry users with recently released handsets said the BlackBerry version of the app fails to work on their device.

In other words, irrespective of the California privacy-lawsuit warning, Delta hasn't been updating its mobile applications lately. Combined with the company's recent decision to drop PINs for passwords -- which appears to be a work in progress -- does the airline currently have more technology challenges on its plate than the company's developers can handle?
